Certification Prep

Prepare documentation and evidence for ISO 27001, SOC 2, or E-ITS audits

Certification audits have specific requirements. Framework-specific preparation ensures you're ready for what auditors will examine.

ISO 27001 Preparation

ISO 27001 auditors focus on:

  • Statement of Applicability (SOA): Which controls apply and why
  • Risk assessment: Formal risk treatment plan
  • ISMS documentation: Policies, procedures, and records
  • Evidence of operation: Logs, reviews, and continuous improvement

[Screenshot: ISO 27001 Checklist] Placeholder: Framework-specific preparation checklist

SOC 2 Preparation

SOC 2 Type II audits require:

  • System description: Architecture and boundaries
  • Control design: How controls are implemented
  • Operating effectiveness: Evidence that controls operated as designed throughout the audit period (typically 6-12 months)
  • Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy

E-ITS Preparation

E-ITS compliance involves:

  • Security measures: Technical and organizational controls
  • Incident reporting: Evidence of incident detection and response
  • Risk management: Documented risk assessment and treatment
  • Compliance documentation: Policies and procedures

[Screenshot: Framework Comparison] Placeholder: Side-by-side view of framework requirements

Pre-Audit Activities

8-12 weeks before the audit:

  1. Run gap analysis to identify missing evidence
  2. Collect documentation from all sources
  3. Interview stakeholders to document processes
  4. Test controls to verify they work as described
  5. Document exceptions and remediation plans

Evidence Organization

Organize evidence by control:

  • Link policies to relevant controls
  • Attach screenshots showing control implementation
  • Include logs demonstrating continuous operation
  • Document control testing results

[Screenshot: Evidence Package] Placeholder: Organized evidence collection by framework requirement

Mock Audits

Conduct an internal audit before the certification audit:

  • Review a random sample of controls
  • Request evidence as an auditor would
  • Identify weak or missing documentation
  • Practice explaining how each control is implemented

Next Steps